nginx: three vulnerabilities in the DNS client
Synthesis of the vulnerability
An attacker who controls a DNS server can exploit several vulnerabilities in nginx.
Vulnerable products: Debian, Fedora, nginx, openSUSE Leap, RHEL, Ubuntu.
Severity of this weakness: 2/4.
Consequences of an attack: privileged access/rights, denial of service on service.
Hacker's origin: internet server.
Number of vulnerabilities in this bulletin: 3.
Creation date: 27/01/2016.
References of this bulletin: CERTFR-2016-AVI-039, CVE-2016-0742, CVE-2016-0746, CVE-2016-0747, DSA-3473-1, FEDORA-2016-bf03932bb3, FEDORA-2016-fd3428577d, openSUSE-SU-2016:0371-1, RHSA-2016:1425-01, USN-2892-1, VIGILANCE-VUL-18828.
Description of the vulnerability
Several vulnerabilities were announced in nginx.
An attacker can send a malicious packet to make the server access an invalid memory address, and so trigger a denial of service. [severity:2/4; CVE-2016-0742]
An attacker can force the use of a freed memory area during the processing of a response record of type CNAME, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-0746]
An attacker can cause excessive resource use with responses of type CNAME, in order to trigger a denial of service. [severity:2/4; CVE-2016-0747]
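All three issues sit in nginx's built-in DNS client, which is only active when a `resolver` directive is configured. The following added example (not part of the bulletin and not nginx project code) inventories the DNS servers an nginx configuration trusts, so affected hosts can be prioritized for the vendor updates referenced above; the function names and the sample configuration are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample configuration for illustration (not from the bulletin).
SAMPLE_CONF = """
http {
    resolver 127.0.0.1 [::1]:5353 valid=30s;   # local caching resolver
    resolver_timeout 5s;
    server {
        # resolver 192.0.2.53;   commented out, must be ignored
        location /api/ {
            resolver 8.8.8.8 ns.example.net ipv6=off;
            proxy_pass http://$backend;
        }
    }
}
"""

# A directive starts at line start or right after ';', '{' or '}'.
# Requiring whitespace after "resolver" keeps resolver_timeout from matching.
DIRECTIVE = re.compile(r"(?:^|[;{}])\s*resolver\s+([^;]+)(?=;)", re.MULTILINE)


def classify(addr):
    """Label one resolver address: loopback, private, public or hostname."""
    host = addr
    if host.startswith("["):                 # [IPv6] or [IPv6]:port
        host = host[1:host.index("]")]
    elif host.count(":") == 1:               # IPv4:port or name:port
        host = host.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"                    # given by name, review manually
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"


def audit_resolvers(conf):
    """Return (address, label) for every DNS server named in resolver directives."""
    conf = re.sub(r"#[^\n]*", "", conf)      # simplification: '#' inside quotes not handled
    findings = []
    for match in DIRECTIVE.finditer(conf):
        for token in match.group(1).split():
            if "=" not in token:             # skip parameters such as valid=30s
                findings.append((token, classify(token)))
    return findings


if __name__ == "__main__":
    for addr, label in audit_resolvers(SAMPLE_CONF):
        print(f"{label:9} {addr}")
```

An empty result means the configuration text passed in does not enable the DNS client; included files must be concatenated by the caller. A loopback or private resolver still relays answers from upstream servers, so the labels rank exposure rather than replace the update.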